Lenovo system update flaws plugged, security world not impressed

L is for Lenovo, lax, lackadaisical, loophole and many other words

Lenovo faces renewed accusations of lax security practices - just three months after the Superfish debacle - after it was obliged to fix flaws in its software update system.

Security researchers at IOActive uncovered a mechanism that would have allowed hackers to create a fake certificate authority in order to sign executables. Hackers on the same untrusted wireless network, of the type commonly found in coffee shops, pubs and transport hubs, could use the trick to replace legitimate Lenovo programs with malware, as IOActive explains:

Local and potentially remote attackers can bypass signature validation checks and replace trusted Lenovo applications with malicious applications. These applications will then be run as a privileged user. The System Update downloads executables from the Internet and runs them.

Remote attackers who can perform a man in the middle attack (the classic coffee shop attack) can exploit this to swap Lenovo’s executables with a malicious executable.

Separate vulnerabilities - also affecting Lenovo System Update 5.6.0.27 and earlier versions - meant that least-privileged users could run commands as a system user or an unprivileged user could run commands as an administrator*. IOActive discovered the vulnerabilities in February before notifying Lenovo and liaising in the development of a combined fix, released last month.

More details on the vulnerabilities can be found in an advisory by IOActive (here, pdf).

Security experts in academia and elsewhere were unimpressed that Lenovo had allowed a fairly basic security mistake to slip under its radar. Examples of their world-weary reaction on Twitter can be found here, here and here.

"Lenovo’s development and security teams worked directly with IOActive regarding their Lenovo System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them," the computer maker said in a statement today.

Lenovo created a storm of controversy in February with its pre-installed Superfish crapware, which ran man-in-the-middle attacks against consumers in order to sling ads. The Chinese PC maker initially dragged its heels and insisted it had done nothing wrong before bowing to pressure and reversing its stance, saying it was done with bloatware. ®